
RE: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)




Tero Kivinen writes:
> I do not think there is any need to negotiate the VPN subscriber ID
> between the parties. The VPN subscriber ID is internal to the SGW, and
> it is not going to trust anything the other end sends.
> 
> If I have understood correctly about the case it is something like
> this:

I am not sure about Mark's scenario, but when I suggested adding a VPN ID
as a P2 selector a few years back, the scenario I had in mind was different
from the one you suggested. It was something like this:

                        +-----+                +-----+
Corp A (10.1/24)--(L2)--| ISP |==={Internet}===| ISP |--(L2)--Corp A (10.2/24)
Corp B (10.1/24)--(L2)--| SGW |<==ipsec flow==>| SGW |--(L2)--Corp B (10.2/24)
                        +-----+                +-----+

As you can see, in this scenario the IPsec connection is made between
the ISP SGWs, on behalf of the corporate sites. The connectivity
between the corporate sites and the ISP is some "trusted" L2 connection.
The ISP SGWs can tell which traffic belongs to which IPsec SA based on
interface ID, virtual router, etc.

In this scenario, for scalability reasons, it would be desirable
for the ISP SGW to have a single P1 between the security gateways,
and multiple P2s, one for each corporate flow. Today, that requires
individual P1/P2 pairs. That's where a VPN-ID associated with a given
P2 would help.

I cannot say that I feel as strongly about this as I once did,
but it may be helpful.

Claudio.

---
Opinions expressed are my own.
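The following is an added illustration of the selection problem Claudio describes; it is not code from the thread or from any IPsec implementation. It models one IKE SA (P1) between the two ISP gateways carrying several Child SAs (P2s) whose traffic selectors are identical because Corp A and Corp B both use 10.1/24 and 10.2/24. The `vpn_id` field and the `ingress_tag` argument are hypothetical local-only values (standing in for "interface ID, virtual router, etc."); the gateway derives them itself and never takes them from the peer, matching Tero's point that the subscriber ID is internal to the SGW. Without such a tag the second Child SA cannot be told apart from the first on the forwarding path; with it, the same 5-tuple from the two customers is steered to different SAs.

```python
"""Constructed model of Child SA (P2) selection behind one IKE SA (P1) when
two customers use overlapping address space. The vpn_id / ingress_tag values
are hypothetical local tags, not anything negotiated with the peer."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChildSA:
    name: str
    src_selector: str            # local traffic selector (CIDR)
    dst_selector: str            # remote traffic selector (CIDR)
    vpn_id: Optional[str] = None  # hypothetical local tag; None = untagged SA


class SecurityGateway:
    """Holds the Child SAs of a single IKE SA between two gateways."""

    def __init__(self) -> None:
        self.child_sas: List[ChildSA] = []

    def install(self, sa: ChildSA) -> None:
        # Two SAs with identical selectors and identical (or absent) tag are
        # indistinguishable when a packet arrives, so refuse the second one
        # at install time rather than silently picking one later.
        for existing in self.child_sas:
            if (existing.src_selector == sa.src_selector
                    and existing.dst_selector == sa.dst_selector
                    and existing.vpn_id == sa.vpn_id):
                raise ValueError(
                    f"{sa.name} is indistinguishable from {existing.name}")
        self.child_sas.append(sa)

    def select(self, src_ip: str, dst_ip: str,
               ingress_tag: Optional[str] = None) -> str:
        """Return the name of the Child SA that must carry this packet.

        The ingress tag is something the gateway learned locally (which
        L2 interface or virtual router the packet came in on); a packet
        whose tag matches no SA is dropped, never sent on a guess.
        """
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        matches = [
            sa for sa in self.child_sas
            if src in ip_network(sa.src_selector)
            and dst in ip_network(sa.dst_selector)
            and sa.vpn_id == ingress_tag
        ]
        if not matches:
            raise LookupError("no Child SA matches; packet must be dropped")
        # Selectors in this model are exact-prefix, so at most one SA matches
        # once install() has rejected duplicates.
        return matches[0].name


def without_vpn_id() -> str:
    """One P1, two P2s keyed only by selectors: the second install fails."""
    gw = SecurityGateway()
    gw.install(ChildSA("corp-a", "10.1.0.0/24", "10.2.0.0/24"))
    try:
        gw.install(ChildSA("corp-b", "10.1.0.0/24", "10.2.0.0/24"))
    except ValueError as err:
        return str(err)
    return "installed"


def with_vpn_id() -> Tuple[str, str]:
    """Same selectors, but each P2 carries a local VPN-ID: both install,
    and the ingress virtual router decides which SA a packet uses."""
    gw = SecurityGateway()
    gw.install(ChildSA("corp-a", "10.1.0.0/24", "10.2.0.0/24", vpn_id="vr-corp-a"))
    gw.install(ChildSA("corp-b", "10.1.0.0/24", "10.2.0.0/24", vpn_id="vr-corp-b"))
    # Identical src/dst from the two customers (constructed sample packets).
    return (gw.select("10.1.0.7", "10.2.0.9", ingress_tag="vr-corp-a"),
            gw.select("10.1.0.7", "10.2.0.9", ingress_tag="vr-corp-b"))


if __name__ == "__main__":
    print(without_vpn_id())
    print(with_vpn_id())
```

The model deliberately keys `select()` on a value the gateway computed itself; if the tag were taken from the packet or from the peer, a customer on one L2 attachment could steer its traffic into the other customer's SA, which is exactly the trust boundary Tero's remark guards.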